LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

Paul Russell <[log in to unmask]>
Fri, 20 Aug 2004 09:09:04 -0500
On 8/20/2004 7:42 AM, [log in to unmask] wrote:

 >>----- begin log extract (wrapped) -----
 >>19 Aug 2004 23:52:12 From [ANONYMOUS]@LISTSERV.ND.EDU:
 >>        X-LOGIN [log in to unmask] 12.218.67.84 PW=*****
 >>----- end -----
 >>
> Does anyone know why the password is listed as clear text?  That just begs
> for the PW to be compromised.

I agree that passwords should not appear in the log files; however, they
also appear in plain-text in the signup.* files in the listserv/home
directory, and on most systems, neither the log files nor the signup.*
files should be accessible by general users. There is always the risk that
an unscrupulous sysadmin might try to use someone's LISTSERV password to
gain access to other accounts owned by the same individual. (Research
indicates that most people use the same password for everything.) However,
it seems to me there is a greater danger that passwords being sent in clear
text across the open Internet will be compromised by anyone with access to
network traffic. L-Soft needs to make it easier to enable HTTPS for the
LISTSERV web interface. The last time I checked, you needed to chase down
and change several hard-coded instances of "http:" in the web templates.
These could be changed to use a variable controlled by the setting of a
keyword statement in the go.user file.

--
Paul Russell
Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
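
An added example, not part of the message above and not L-Soft code: a shell audit for the two exposures discussed in this thread, files that may hold clear-text passwords being accessible to general users, and X-LOGIN log lines whose PW= field is not masked. The `*.log` pattern and the directory passed in are assumptions; `signup.*` and the `X-LOGIN ... PW=` line format are taken from the thread.

```shell
#!/bin/sh
# Added example: audit LISTSERV files that can hold clear-text passwords.
# Assumptions: log files match *.log and live under the directory given
# as $1; adjust both to the local installation.

# List signup.* and *.log files under $1 that grant any access to "other".
exposed_files() {
    find "$1" -type f \( -name 'signup.*' -o -name '*.log' \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Count X-LOGIN lines in file $1 whose PW= value is not fully masked.
# Only a count is reported, so the audit itself never echoes a password.
unmasked_logins() {
    awk '/X-LOGIN/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^PW=/ && $i !~ /^PW=\*+$/) { n++; break }
    } END { print n + 0 }' "$1"
}

# Usage: sh audit.sh /path/to/listserv/home
if [ -n "${1:-}" ]; then
    echo "Files accessible to general users:"
    exposed_files "$1"
    for f in "$1"/*.log; do
        if [ -f "$f" ]; then
            printf '%s: %s unmasked X-LOGIN line(s)\n' \
                "$f" "$(unmasked_logins "$f")"
        fi
    done
fi
```

Any file the first check lists can be tightened with `chmod o-rwx`; a non-zero count from the second check means the log needs the same protection as a password file.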
